IT security is becoming more of a high profile problem in the education sector. Two recent examples highlight the issue - the hacking incident at Winchester College that sparked the investigation by the Office of Fair Trading and the recent media furore about students cheating by copying coursework from the Internet. While we have already reported both topics in previous issues, it seems that educational buyers are now starting to pay more attention to issues around IT security.

As we reported last September Turniitin, the plagiarism prevention software used by the Joint Information Systems Committee (JISC), is now one of the systems being considered for use in checking the coursework of secondary school students. Similarly, the hacking incident at Winchester College has seen renewed interest in products that can be used to improve network and data security.

One of the largest players in this market is Oxford-based Sophos, who develop products and services to protect IT assets from viruses, hacking or fraud – and no we don’t get a kickback for saying this. Even with the best kit, no system, whether in schools or in those who supply this market, can ever be 100% secure when people are involved. So rather than relying on technology as the frontline of their IT defence, many companies now focus on Human Resources as the key to their IT and general security plans. While teachers and staff in schools must be CRB checked, the issue of security for IT and data falls into three parts:

• Physical security in your premises applied not just to staff but also to contractors and suppliers. This must include things like password systems, monitoring web and email usage, identity passes (including checking and revocation), restricted areas, physical and electronic guarding, surveillance cameras, etc

• Security vetting of all contractors and suppliers. This is more than pre-employment reference checks and should include the mandatory disclosures of any convictions or pending charges after the initial check has been passed. Contractors and suppliers, especially in the IT areas, must be able to prove they hold appropriate insurance and professional qualification/certification

• Contracts - all staff, suppliers, and contractors (including sub-contractors) must have signed an appropriate contract.

Security problems like employee theft and shoplifting are impossible to prevent if someone is particularly determined and has little fear of the consequences. What the Winchester College example highlights is just how vulnerable all organisations can be because of the growing need to store information and intellectual property. Moreover, you must remember that the greatest threat is not external, but comes from within.

• www.jisc.ac.uk

• www.sophos.com

• www.turnitin.com